Fair Vote Canada
March 2, 2024
•[ leak, misconfiguration, government ]
In March 2024, the Canadian national citizens' campaign for proportional representation Fair Vote Canada suffered a data breach. The incident was attributed to "a well-meaning volunteer" who inadvertently exposed data from 2020 which included 134k unique email addresses, names, physical addresses, phone numbers and, for some individuals, date and amount of a donation.
Mr Green Gaming
March 1, 2024
•[ leak, misconfiguration ]
Mr Green Gaming, a game community, suffers a breach when an inactive admin account is exploited, resulting in the leak of personal details belonging to 27,000 members.
Life360
March 1, 2024
•[ leak, misconfiguration, manufacturing ]
A threat actor has leaked a database containing the personal information of 442,519 Life360 customers collected by abusing a flaw in the login API.
Life360
March 1, 2024
•[ leak, misconfiguration, technology ]
In July 2024, data scraped from a misconfigured Life360 API was posted online after being obtained several months earlier. The records included 443k unique email addresses and in most cases, corresponding names and phone numbers (some records were null or obfuscated). Life360 promptly notified impacted users after the incident was discovered.
Cutout.Pro
February 26, 2024
•[ hack, misconfiguration, technology ]
In February 2024, the AI-powered visual design platform Cutout.Pro suffered a data breach that exposed 20M records. The data included email and IP addresses, names and salted MD5 password hashes which were subsequently broadly distributed on a popular hacking forum and Telegram channels.
Tangerine
February 18, 2024
•[ leak, misconfiguration, technology ]
In February 2024, the Australian Telco Tangerine suffered a data breach that exposed over 200k customer records. Attributed to a legacy customer database, the data included physical and email addresses, names, phone numbers and dates of birth. Whilst the Tangerine login process involves sending a one-time password after entering an email address and phone number, it previously used a traditional password which was also exposed as a bcrypt hash.
Davlyn Investments Property Management
February 14, 2024
•[ hack, misconfiguration ]
Davlyn Investments Property Management files a notice of data breach after discovering that an unauthorized party was able to access its IT network.
Cooper Aerobics
February 3, 2024
•[ hack, misconfiguration, healthcare ]
Cooper Aerobics files a notice of data breach after discovering unauthorized access to its computer network.
Spoutible
January 31, 2024
•[ leak, misconfiguration, technology ]
In January 2024, Spoutible had 207k records scraped from a misconfigured API that inadvertently returned excessive personal information. The data included names, usernames, email and IP addresses, phone numbers (where provided to the platform), genders and bcrypt password hashes. The incident also exposed 2FA secrets and backup codes along with password reset tokens.
Unknown Healthcare organization in Thailand
January 22, 2024
•[ leak, misconfiguration, healthcare ]
A threat actor named Soni posts a leaked database related to healthcare. The data breach consists of 25.5k records of user information including ID, user URL, encrypted passwords (phpass), user emails, login details, account status, display names, registration dates, and user activation keys.
Trello
January 22, 2024
•[ leak, misconfiguration, technology ]
A threat actor with the moniker of 'emo' leaks the private emails of 15,115,516 Trello members, using an exposed Trello API to link private email addresses with Trello accounts, enabling the creation of millions of data profiles containing both public and private information.
Ashford
January 19, 2024
•[ hack, misconfiguration, finance ]
Ashford files a notice of data breach after discovering that an unauthorized actor was able to access and acquire information stored on the company's IT network.
Trezor
January 17, 2024
•[ hack, misconfiguration, manufacturing ]
Trezor issues a security alert after identifying a data breach due to unauthorized access to their third-party support ticketing portal.
CGI Federal
January 17, 2024
•[ hack, misconfiguration, government ]
The Government Accountability Office warns of a breach resulting in the compromise of data associated with thousands of current and former employees. The attack was carried out by exploiting the Atlassian vulnerability CVE-2023-22515 through one of its contractors, CGI Federal.
Orange Spain
January 2, 2024
•[ hack, misconfiguration, technology ]
Orange Spain suffers an internet outage after an attacker with the moniker of 'Snow' breaches the company's RIPE account to misconfigure BGP routing and an RPKI configuration.